> Date: Mon, 2 Aug 2010 00:25:35 -0400
> Subject: Re: [Fwknop-discuss] (newbie) knoptm cannot expire iptables rules
> 
> > > Date: Sun, 25 Jul 2010 11:13:55 -0400
> > > From: [email protected]
> > > To: [email protected]
> > > Subject: Re: [Fwknop-discuss] (newbie) knoptm cannot expire iptables rules
> > > 
> > > The end result will be a tarball of the test results in the test/
> > > directory.  Can you send that to me?
> > 
> > 
> > Sorry for the delay; it's a side project and I've been busy.
> > Please find the test output attached.
> 
> Thanks for sending that over.  It appears to me that fwknop cannot execute
> any iptables command at all.  Is it possible that SELinux is deployed on
> your system, and is preventing fwknopd and knoptm from executing iptables?
> 
> Thanks,
> 
> --Mike


Gah!  I should've known.  It was SELinux.

However, recall my observed behavior that (once I manually added the 
FWKNOP_INPUT chain) fwknop could insert rules with SELinux enabled/enforcing.  
The FWKNOP_INPUT chain was never created automatically.  Does the logic to 
create the chain depend on parsing output of iptables?

I ask because it appeared that the SELinux denials were on writing to the 
.iptout and .ipterr files in /var/log/fwknop:


avc: denied { write } for ... comm="iptables" 
path="/var/log/fwknop/fwknop.iptout" ... 
scontext=unconfined_u:system_r:iptables_t  
tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

Repeat the same for fwknop.ipterr, knoptm.iptout, and knoptm.ipterr.
So adding rules to the chain executes without needing to parse iptables output, 
but deciding whether to create the chain or which rule to remove depends on 
parsing -- which can't occur because iptables isn't allowed to write to 
/var/log/fwknop.

I hope that helps.

-- Will
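As an added example that is not part of the thread or of the fwknop project, the script below parses AVC denial records of the kind Will quoted and picks out the ones that match the failure mode he describes: the `iptables` process (domain `iptables_t`) being refused `write` on files under `/var/log/fwknop`, which is where fwknopd and knoptm capture iptables output for parsing. The audit lines are constructed for the example (pids, inodes and timestamps are made up; `comm`, `path`, contexts and `tclass` follow the quoted denial), and the `/var/log/fwknop` directory and the `fwknop.iptout` / `knoptm.ipterr` filenames are taken from the thread.

```python
import re

# Constructed sample audit records, modelled on the denial quoted in the thread.
# Values other than comm/path/scontext/tcontext/tclass are invented for the example.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1280000000.123:456): avc: denied { write } for pid=1234 '
    'comm="iptables" path="/var/log/fwknop/fwknop.iptout" dev=sda1 ino=9999 '
    'scontext=unconfined_u:system_r:iptables_t '
    'tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1280000000.124:457): avc: denied { write } for pid=1235 '
    'comm="iptables" path="/var/log/fwknop/knoptm.ipterr" dev=sda1 ino=9998 '
    'scontext=unconfined_u:system_r:iptables_t:s0 '
    'tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file',
    # Unrelated denial: must not be attributed to fwknop's output capture.
    'type=AVC msg=audit(1280000000.200:458): avc: denied { read } for pid=2000 '
    'comm="httpd" path="/home/will/index.html" dev=sda1 ino=5 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'Jul 25 11:13:55 host kernel: not an avc record at all',
]

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # SELinux contexts are user:role:type[:level]; keep the type separately,
    # since that is what a policy allow rule is written in terms of.
    for ctx in ('scontext', 'tcontext'):
        if ctx in fields:
            parts = fields[ctx].split(':')
            fields[ctx + '_type'] = parts[2] if len(parts) > 2 else fields[ctx]
    return fields


def blocks_fwknop_output(denial, log_dir='/var/log/fwknop'):
    """True if this denial stops iptables from writing its captured output for fwknop."""
    return (denial.get('comm') == 'iptables'
            and denial.get('tclass') == 'file'
            and 'write' in denial['perms']
            and denial.get('path', '').startswith(log_dir + '/'))


def find_fwknop_denials(lines, log_dir='/var/log/fwknop'):
    """Parse every line and return the denials that affect fwknop's output capture."""
    hits = []
    for line in lines:
        d = parse_avc(line)
        if d and blocks_fwknop_output(d, log_dir):
            hits.append(d)
    return hits


def denied_accesses(denials):
    """Collapse denials into the distinct (source type, target type, class, perm)
    tuples; this is the shape of what a policy fix or relabel has to cover."""
    acc = set()
    for d in denials:
        for perm in d['perms']:
            acc.add((d['scontext_type'], d['tcontext_type'], d['tclass'], perm))
    return sorted(acc)


if __name__ == '__main__':
    hits = find_fwknop_denials(SAMPLE_AUDIT_LINES)
    for d in hits:
        print('blocked:', d['comm'], d['perms'], d['path'])
    print('access needed:', denied_accesses(hits))
```

Because adding a rule to an existing chain does not depend on reading iptables output, while deciding whether the chain exists (or which rule to remove) does, a non-empty result from `find_fwknop_denials` over the real audit log is consistent with exactly the symptom in this thread: inserts succeed, chain creation and expiry silently fail. The `denied_accesses` summary shows the single source type, target type, class and permission involved, which is what a fix (relabelling the capture directory or a small local policy module) has to address, without granting anything broader.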
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss